Merge branch 'main' of https://github.com/stackabletech/ci

Author: dervoeti

tools/harbor_sbom_browser/Cargo.lock

@@ -8,7 +8,7 @@ edition = "2021"
 [dependencies]
 axum = "0.7.4"
 axum-extra = { version = "0.9.2", features = ["erased-json"] }
-base64 = "0.21.7"
+base64 = "0.22.0"
 futures = "0.3.30"
 lazy_static = "1.4.0"
 regex = "1.10.3"

tools/harbor_sbom_browser/Cargo.toml

@@ -49,7 +49,6 @@ lazy_static! {
 pub async fn render_as_html(
     State(cached_rendered_artifact_tree): State<CachedObject<Html<String>>>,
 ) -> Result<Html<String>, ArtifactTreeError> {
-
     // if the artifact tree is already cached, return it
     if let Some(html) = cached_rendered_artifact_tree.get() {
         return Ok(html);

tools/harbor_sbom_browser/src/handlers/artifact_tree.rs

@@ -1,98 +1,15 @@
-use crate::structs::{Dsse, InTotoAttestation};
 use axum::{
     extract::Path,
-    http::{header, HeaderMap, StatusCode},
-    response::{IntoResponse, Response},
+    http::{header, HeaderMap},
 };
 use axum_extra::response::ErasedJson;
-use base64::prelude::*;
-use lazy_static::lazy_static;
-use regex::Regex;
-use snafu::{ResultExt, Snafu};
-use std::process::Command;
-use strum::{EnumDiscriminants, IntoStaticStr};
-use tracing::error;
 
-lazy_static! {
-    static ref SHA256_REGEX: Regex = Regex::new(r"^[a-f0-9]{64}$").unwrap();
-    static ref ALPHANUMERIC_REGEX: Regex = Regex::new(r"^[a-zA-Z0-9\-]+$").unwrap();
-}
-
-#[derive(Snafu, Debug, EnumDiscriminants)]
-#[strum_discriminants(derive(IntoStaticStr))]
-#[snafu(visibility(pub))]
-#[allow(clippy::enum_variant_names)]
-pub enum DownloadSbomError {
-    #[snafu(display("invalid repository or digest"))]
-    InvalidSbomParameters,
-    #[snafu(display("failed to verify SBOM"))]
-    SbomVerification {
-        cosign_stdout: String,
-        cosign_stderr: String,
-        cosign_status: std::process::ExitStatus,
-    },
-    #[snafu(display("cannot parse DSSE"))]
-    ParseDsse { source: serde_json::Error },
-    #[snafu(display("cannot decode DSSE payload"))]
-    DecodeDssePayload { source: base64::DecodeError },
-    #[snafu(display("cannot parse DSSE payload as string"))]
-    ParseDssePayloadAsString { source: std::str::Utf8Error },
-    #[snafu(display("cannot parse in-toto attestation"))]
-    ParseInTotoAttestation { source: serde_json::Error },
-    #[snafu(display("failed to execute cosign"))]
-    CosignExecution { source: std::io::Error },
-}
-
-impl IntoResponse for DownloadSbomError {
-    fn into_response(self) -> Response {
-        error!("error: {:?}", self);
-        (
-            StatusCode::INTERNAL_SERVER_ERROR,
-            format!("Something went wrong: {}", self),
-        )
-            .into_response()
-    }
-}
+use crate::utils::{verify_attestation, DownloadSbomError};
 
 pub async fn download(
     Path((repository, digest)): Path<(String, String)>,
 ) -> Result<(HeaderMap, ErasedJson), DownloadSbomError> {
-    if !SHA256_REGEX.is_match(&digest) || !ALPHANUMERIC_REGEX.is_match(&repository) {
-        return Err(DownloadSbomError::InvalidSbomParameters);
-    }
-    let cmd_output = Command::new("cosign")
-        .arg("verify-attestation")
-        .arg("--type")
-        .arg("cyclonedx")
-        .arg("--certificate-identity-regexp")
-        .arg("^https://github.com/stackabletech/.+/.github/workflows/.+@.+")
-        .arg("--certificate-oidc-issuer")
-        .arg("https://token.actions.githubusercontent.com")
-        .arg(format!(
-            "oci.stackable.tech/sdp/{}@sha256:{}",
-            repository, digest
-        ))
-        .output()
-        .context(CosignExecutionSnafu)?;
-
-    let output = String::from_utf8_lossy(&cmd_output.stdout);
-    if !cmd_output.status.success() {
-        let stderr_output = String::from_utf8_lossy(&cmd_output.stderr);
-        return Err(DownloadSbomError::SbomVerification {
-            cosign_stdout: output.to_string(),
-            cosign_stderr: stderr_output.to_string(),
-            cosign_status: cmd_output.status,
-        });
-    }
-
-    let dsse = serde_json::from_str::<Dsse>(&output).context(ParseDsseSnafu)?;
-    let attestation_bytes = BASE64_STANDARD
-        .decode(dsse.payload)
-        .context(DecodeDssePayloadSnafu)?;
-    let attestation_string =
-        std::str::from_utf8(&attestation_bytes).context(ParseDssePayloadAsStringSnafu)?;
-    let attestation = serde_json::from_str::<InTotoAttestation>(attestation_string)
-        .context(ParseInTotoAttestationSnafu)?;
+    let attestation = verify_attestation(&repository, &digest).await?;
     let mut headers = HeaderMap::new();
     headers.insert(header::CONTENT_TYPE, "application/json".parse().unwrap());
     headers.insert(

tools/harbor_sbom_browser/src/handlers/sbom.rs

@@ -3,6 +3,8 @@ use structs::CachedObject;
 
 pub mod handlers;
 pub mod structs;
+mod utils;
+
 use crate::handlers::*;
 
 #[tokio::main]

tools/harbor_sbom_browser/src/main.rs

@@ -0,0 +1,95 @@
+use crate::structs::{Dsse, InTotoAttestation};
+use axum::http::StatusCode;
+use axum::response::{IntoResponse, Response};
+use base64::prelude::BASE64_STANDARD;
+use base64::Engine;
+use lazy_static::lazy_static;
+use regex::Regex;
+use snafu::ResultExt;
+use snafu::Snafu;
+use std::process::Command;
+use strum::{EnumDiscriminants, IntoStaticStr};
+use tracing::error;
+
+lazy_static! {
+    static ref SHA256_REGEX: Regex = Regex::new(r"^[a-f0-9]{64}$").unwrap();
+    static ref ALPHANUMERIC_REGEX: Regex = Regex::new(r"^[a-zA-Z0-9\-]+$").unwrap();
+}
+
+#[derive(Snafu, Debug, EnumDiscriminants)]
+#[strum_discriminants(derive(IntoStaticStr))]
+#[snafu(visibility(pub))]
+#[allow(clippy::enum_variant_names)]
+pub enum DownloadSbomError {
+    #[snafu(display("invalid repository or digest"))]
+    InvalidSbomParameters,
+    #[snafu(display("failed to verify SBOM"))]
+    SbomVerification {
+        cosign_stdout: String,
+        cosign_stderr: String,
+        cosign_status: std::process::ExitStatus,
+    },
+    #[snafu(display("cannot parse DSSE"))]
+    ParseDsse { source: serde_json::Error },
+    #[snafu(display("cannot decode DSSE payload"))]
+    DecodeDssePayload { source: base64::DecodeError },
+    #[snafu(display("cannot parse DSSE payload as string"))]
+    ParseDssePayloadAsString { source: std::str::Utf8Error },
+    #[snafu(display("cannot parse in-toto attestation"))]
+    ParseInTotoAttestation { source: serde_json::Error },
+    #[snafu(display("failed to execute cosign"))]
+    CosignExecution { source: std::io::Error },
+}
+
+impl IntoResponse for DownloadSbomError {
+    fn into_response(self) -> Response {
+        error!("error: {:?}", self);
+        (
+            StatusCode::INTERNAL_SERVER_ERROR,
+            format!("Something went wrong: {}", self),
+        )
+            .into_response()
+    }
+}
+
+pub async fn verify_attestation(
+    repository: &str,
+    digest: &str,
+) -> Result<InTotoAttestation, DownloadSbomError> {
+    if !SHA256_REGEX.is_match(digest) || !ALPHANUMERIC_REGEX.is_match(repository) {
+        return Err(DownloadSbomError::InvalidSbomParameters);
+    }
+    let cmd_output = Command::new("cosign")
+        .arg("verify-attestation")
+        .arg("--type")
+        .arg("cyclonedx")
+        .arg("--certificate-identity-regexp")
+        .arg("^https://github.com/stackabletech/.+/.github/workflows/.+@.+")
+        .arg("--certificate-oidc-issuer")
+        .arg("https://token.actions.githubusercontent.com")
+        .arg(format!(
+            "oci.stackable.tech/sdp/{}@sha256:{}",
+            repository, digest
+        ))
+        .output()
+        .context(CosignExecutionSnafu)?;
+
+    if !cmd_output.status.success() {
+        let stderr_output = String::from_utf8_lossy(&cmd_output.stderr);
+        return Err(DownloadSbomError::SbomVerification {
+            cosign_stdout: String::from_utf8_lossy(&cmd_output.stdout).to_string(),
+            cosign_stderr: stderr_output.to_string(),
+            cosign_status: cmd_output.status,
+        });
+    }
+
+    let output = String::from_utf8_lossy(&cmd_output.stdout);
+    let dsse = serde_json::from_str::<Dsse>(&output).context(ParseDsseSnafu)?;
+    let attestation_bytes = BASE64_STANDARD
+        .decode(dsse.payload)
+        .context(DecodeDssePayloadSnafu)?;
+    let attestation_string =
+        std::str::from_utf8(&attestation_bytes).context(ParseDssePayloadAsStringSnafu)?;
+    serde_json::from_str::<InTotoAttestation>(attestation_string)
+        .context(ParseInTotoAttestationSnafu)
+}

tools/harbor_sbom_browser/src/utils.rs

@@ -9,6 +9,7 @@
 platform_name = None
 k8s_version = None
 operator_version = None
+test_script_params = None
 git_branch = None
 beku_suite = None
 metadata_annotations = {}
@@ -85,12 +86,14 @@ def read_params():
         - GIT_BRANCH
         - BEKU_SUITE
         - OPERATOR_VERSION
+        - TEST_SCRIPT_PARAMS
         - METADATA_ANNOTATION_xyz
     """
     global testsuite_name
     global platform_name
     global k8s_version
     global operator_version
+    global test_script_params
     global git_branch
     global beku_suite
     global metadata_annotations
@@ -107,6 +110,8 @@ def read_params():
     platform_name, k8s_version = read_platform_and_k8s_version()
     if 'OPERATOR_VERSION' in os.environ:
         operator_version = os.environ["OPERATOR_VERSION"]
+    if 'TEST_SCRIPT_PARAMS' in os.environ:
+        test_script_params = os.environ["TEST_SCRIPT_PARAMS"]
     if 'GIT_BRANCH' in os.environ:
         git_branch = os.environ["GIT_BRANCH"]
     if 'BEKU_SUITE' in os.environ:
@@ -219,6 +224,11 @@ def create_testsuite():
         cluster_definition['metadata']['annotations'] = {}
     for key,value in metadata_annotations.items():
         cluster_definition['metadata']['annotations'][key] = value
-
     write_cluster_definition(cluster_definition)
-    write_test_script(testsuite, testsuite_platform_definition['test_params'] if 'test_params' in testsuite_platform_definition else '')
+
+    test_script_params_array = []
+    if 'test_params' in testsuite_platform_definition: 
+        test_script_params_array.append(testsuite_platform_definition['test_params'])
+    if test_script_params:
+        test_script_params_array.append(test_script_params)
+    write_test_script(testsuite, ' '.join(test_script_params_array))

tools/testing-toolbox/create_testsuite.py

@@ -64,6 +64,7 @@
             export PLATFORM_ID=`echo $TEST_PLATFORM | cut -d '<' -f 2 | cut -d '|' -f 1`
             export K8S_VERSION=`echo $TEST_PLATFORM | cut -d '<' -f 2 | cut -d '|' -f 2 | cut -d '>' -f 1`
             export GIT_BRANCH=`echo $GIT_BRANCH_OR_TAG | sed s#origin/##g`
+            export TEST_SCRIPT_PARAM_OPERATOR_NAME=`echo {{ testsuite.name }} | sed s#-operator##g`
 
             # We're using Docker from within a Docker container, so we have to make sure to provide
             # the Docker daemon with the proper absolute path for volume mounts.
@@ -87,7 +88,8 @@
               --env K8S_VERSION=$K8S_VERSION \
               --env GIT_BRANCH=$GIT_BRANCH \
               --env BEKU_SUITE=$BEKU_SUITE \
-              --env OPERATOR_VERSION=$OPERATOR_VERSION \
+              --env OPERATOR_VERSION=NONE \
+              --env TEST_SCRIPT_PARAMS="--operator ${TEST_SCRIPT_PARAM_OPERATOR_NAME}=${OPERATOR_VERSION}" \
               --env METADATA_ANNOTATION_t2.stackable.tech/jenkins-user="${BUILD_USER}" \
               --env METADATA_ANNOTATION_t2.stackable.tech/jenkins-user-id=${BUILD_USER_ID} \
               --env METADATA_ANNOTATION_t2.stackable.tech/jenkins-user-email=${BUILD_USER_EMAIL} \
@@ -127,7 +129,6 @@
           custom-message: |
             *platform:* $TEST_PLATFORM
             *branch or tag:* `$GIT_BRANCH_OR_TAG`
-            *operator version:* `$OPERATOR_VERSION`
             (<$BUILD_URL|Open in classic Jenkins UI>)
             (<${BUILD_URL}artifact/testsuite/target/logs.html|Open logs overview>)
       - description-setter:

tools/testing-toolbox/jjb/custom_test_jobs.j2

@@ -59,7 +59,7 @@
               --env PLATFORM='{{ testsuite.nightly_test.platform }}' \
               --env GIT_BRANCH=main \
               --env BEKU_SUITE=nightly \
-              --env OPERATOR_VERSION=DEV \
+              --env OPERATOR_VERSION=NONE \
               --env METADATA_ANNOTATION_t2.stackable.tech/jenkins-user="${BUILD_USER}" \
               --env METADATA_ANNOTATION_t2.stackable.tech/jenkins-user-id=${BUILD_USER_ID} \
               --env METADATA_ANNOTATION_t2.stackable.tech/jenkins-user-email=${BUILD_USER_EMAIL} \

tools/testing-toolbox/jjb/nightly_test_jobs.j2

@@ -20,13 +20,6 @@
           choices:{% for platform in platforms[testsuite.name] %}
             - {{ platform.display_name }}, {{ platform.version }} <{{ platform.id }}|{{ platform.version }}>{% endfor %}
           description: On which platform should the test run?
-      - extended-choice:
-          name: OPERATOR_VERSION
-          description: Version of the operator (binary) this test should use
-          property-file: /var/jenkins_home/workspace/Available Versions/versions.properties
-          property-key: {{ testsuite.name }}
-          quote-value: false
-          visible-items: 10
       - string:
           name: CLUSTER_NICKNAME
           description: Nickname of the cluster to be created (mandatory)
@@ -74,7 +67,7 @@
               --env TESTSUITE={{ testsuite.name }} \
               --env PLATFORM=$PLATFORM_ID \
               --env K8S_VERSION=$K8S_VERSION \
-              --env OPERATOR_VERSION=$OPERATOR_VERSION \
+              --env OPERATOR_VERSION=NONE \
               --env METADATA_ANNOTATION_t2.stackable.tech/jenkins-user="${BUILD_USER}" \
               --env METADATA_ANNOTATION_t2.stackable.tech/jenkins-user-id=${BUILD_USER_ID} \
               --env METADATA_ANNOTATION_t2.stackable.tech/jenkins-user-email=${BUILD_USER_EMAIL} \